Passwords – the bad news and the good news

Back in 2003, Bill Burr, a manager at the National Institute of Standards and Technology (NIST), wrote a paper about computer passwords that eventually became the password mess we find ourselves in today. Burr’s eight-page password recommendation document, NIST Special Publication 800-63, Appendix A, advised people to use irregular capitalization, special characters, and at least one numeral in their passwords. He was also the guy who suggested we change our perfectly good passwords every 90 days.

In an interview published in early August 2017 in The Wall Street Journal Burr said: “Much of what I did I now regret.” Burr is 72 years old and now retired.

In 2011, Randall Munroe (creator of the fabulously nerdy xkcd web comic) summed up the problems with passwords as “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” Here is a link to the xkcd panel about password strength: https://xkcd.com/936/

Here’s the good part. In Appendix A the NIST reports “Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication. Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”

So, if the old way isn’t working, what do they suggest? Hard to read between the lines here but it looks like we may be moving toward long passwords that use random common words or passphrases. Long seems to be the way to go.

Going back to Randall Munroe’s example cited above, we seem to be headed in a direction where four random common words can be your password; something like “correct horse battery staple” would be a valid password.
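To put numbers on that comparison, here is an added example of my own (not from the column, NIST, or xkcd) that scores a random-word passphrase against a composition-rule password and generates one with the operating system’s secure random source; the 12-word list is constructed for illustration and is far too small for real use.

```python
import math
import secrets

# Constructed stand-in for a real word list. A real diceware-style list has a
# few thousand words, and the entropy figures below depend on that size.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orange", "river",
                "pencil", "window", "cloud", "garden", "silver", "rocket"]

def composition_bits(length, lowercase=True, uppercase=False,
                     digits=False, symbols=False):
    """Bits of entropy for a password picked uniformly at random from the
    enabled character classes (32 = printable ASCII punctuation). This is the
    best case a composition rule can get; people pick far more predictably."""
    charset = (26 * int(lowercase) + 26 * int(uppercase)
               + 10 * int(digits) + 32 * int(symbols))
    return length * math.log2(charset)

def passphrase_bits(word_count, wordlist_size):
    """Bits of entropy for word_count words drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years for an attacker to try every possibility."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def make_passphrase(words, word_count=4, min_bits=44.0):
    """Pick word_count words using the OS CSPRNG (secrets, never random).
    Refuses to produce a passphrase below min_bits so that a too-small word
    list fails loudly instead of handing back a weak passphrase."""
    bits = passphrase_bits(word_count, len(words))
    if bits < min_bits:
        raise ValueError(f"{len(words)}-word list gives only {bits:.1f} bits; "
                         f"need {min_bits}")
    return " ".join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    # Four words from a 2048-word list (the xkcd figure) versus eight mixed-case
    # characters with digits, both at 1000 guesses per second.
    for label, bits in [("4 words, 2048-word list", passphrase_bits(4, 2048)),
                        ("8 chars, upper+lower+digits",
                         composition_bits(8, True, True, True))]:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1000):.0f} years to exhaust")
    try:
        make_passphrase(SAMPLE_WORDS)   # constructed list is too small
    except ValueError as err:
        print("rejected:", err)
```

A truly random 8-character mixed password is slightly stronger on paper than four words; the passphrase wins because people can actually remember it, which is the usability point NIST makes above.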

Now we just need every web site on the planet to change their security policies.

Changing the size of text in your browser

Every browser has a way to make the text on a web page larger, but it’s different in each browser. Here’s an easy way that works on any Windows browser:

Press and hold down Ctrl while scrolling the mouse wheel.

Special bonus: this tip works on almost any program that runs on Windows

If only…

My computer could be more encouraging. You know, instead of “invalid password,” why not something like, “Ooooh, you’re so close!”? – Lisa Porter

(I couldn’t find anything about the specific Lisa Porter that may have said this, but it’s a good quote, and it fits this week, so here it is.)

Do you have a computer or technology question? Greg Cunningham has been providing Tehachapi with on-site PC and network services since 2007. Email Greg at greg@tech-hachapi.com.

Greg Cunningham and tech-hachapi.com are not affiliated with anybody anywhere and operate as an independent, state-licensed, insured, and certified locally-owned and operated onsite computer repair service company.

Disclaimer: The physical address listed on any marketing associated with tech-hachapi.com is solely intended to represent that onsite computer repair service is available only in the greater Tehachapi area. Any address so listed is not intended to be visited in person by potential or current customers, nor is such physical address an actual store.